{"id":10164,"library":"python-kadmin-rs","title":"Python Kadmin RS","description":"Python interface to the Kerberos administration interface (kadm5), providing a safe and idiomatic way to manage Kerberos principals and policies. It leverages a Rust implementation (kadmin-rs) for enhanced safety and performance. The library is currently at version 0.7.0 and sees active development with releases tied to new features or bug fixes.","status":"active","version":"0.7.0","language":"en","source_language":"en","source_url":"https://github.com/authentik-community/kadmin-rs.git","tags":["kerberos","authentication","kadm5","admin","security","kdc"],"install":[{"cmd":"pip install python-kadmin-rs","lang":"bash","label":"Install package"}],"dependencies":[{"reason":"System-level Kerberos development libraries are required for building and running the underlying Rust component that `python-kadmin-rs` wraps.","package":"libkrb5-dev (Debian/Ubuntu) or krb5-devel (RHEL/CentOS)","optional":false}],"imports":[{"symbol":"Client","correct":"from kadmin_rs.client import Client"}],"quickstart":{"code":"import os\nfrom kadmin_rs.client import Client\n\n# IMPORTANT: Replace with your actual Kerberos admin principal and keytab path.\n# For testing, you can set these environment variables:\n# export KADMIN_ADMIN_PRINCIPAL=\"admin/admin@EXAMPLE.COM\"\n# export KADMIN_KEYTAB_PATH=\"/etc/krb5.keytab\"\n# Ensure Kerberos is properly configured and the keytab is valid.\n\nadmin_principal = os.environ.get(\"KADMIN_ADMIN_PRINCIPAL\", \"admin/admin@EXAMPLE.COM\")\nkeytab_path = os.environ.get(\"KADMIN_KEYTAB_PATH\", \"/etc/krb5.keytab\")\n\ntry:\n client = Client.with_keytab(\n principal=admin_principal,\n keytab_path=keytab_path,\n )\n print(f\"Kadmin client connected as {admin_principal}\")\n\n # List all principals\n all_principals = client.list_principals()\n print(f\"Found {len(all_principals)} principals.\")\n if all_principals:\n print(f\"First principal: {all_principals[0]}\")\n\nexcept Exception as e:\n print(f\"Error initializing Kadmin client or listing principals: {e}\")\n print(\"Please check your Kerberos configuration, admin principal, and keytab path.\")\n print(\"Also ensure system Kerberos development libraries are installed (e.g., libkrb5-dev).\")\n","lang":"python","description":"Demonstrates how to initialize a `Client` using a keytab file and list Kerberos principals. Requires proper Kerberos setup and a valid admin principal with a keytab."},"warnings":[{"fix":"Install the appropriate Kerberos development package for your OS before installing `python-kadmin-rs` (e.g., `sudo apt install libkrb5-dev`).","message":"The library wraps a Rust implementation, which in turn depends on system-level Kerberos development libraries (e.g., `libkrb5-dev` on Debian/Ubuntu, `krb5-devel` on RHEL/CentOS). Installation will fail or runtime errors will occur without these.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"If upgrading from a version older than 0.6.0, update calls to `add_principal` and `modify_principal` to use a single `valid_until` `datetime` object instead of `valid_start` and `valid_end`.","message":"The `add_principal` and `modify_principal` methods had their time-related arguments changed in version 0.6.0. Previously, they accepted `valid_start` and `valid_end` (`datetime` objects). Now, they accept only `valid_until` (a single `datetime` object).","severity":"breaking","affected_versions":">=0.6.0 (breaking for users upgrading from <0.6.0)"},{"fix":"Always use secure paths for keytabs, restrict file permissions (`chmod 400`), and avoid hardcoding sensitive paths directly in code. Prefer environment variables or secure configuration management systems.","message":"Handling Kerberos credentials (keytabs or credential caches) requires careful security considerations. Ensure keytab files are properly secured with minimal permissions and that credential caches are protected.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Double-check principal names, including realm, and ensure they match the Kerberos KDC configuration exactly. The library does not normalize names; it passes them directly to `kadm5`.","message":"Kerberos principal names are strict (e.g., `user/service@REALM.COM`). Incorrect formatting can lead to connection failures or 'Principal does not exist' errors, even if it looks superficially similar to an existing one.","severity":"gotcha","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-17T00:00:00.000Z","next_check":"2026-07-16T00:00:00.000Z","problems":[{"fix":"Ensure system Kerberos development libraries are installed (e.g., `sudo apt install libkrb5-dev` or `sudo yum install krb5-devel`) and then reinstall the Python package: `pip install --no-cache-dir python-kadmin-rs`.","cause":"The `python-kadmin-rs` library or its underlying Rust components were not installed correctly, most commonly due to missing system Kerberos development headers.","error":"ImportError: cannot import name 'Client' from 'kadmin_rs.client' (/path/to/venv/lib/python3.X/site-packages/kadmin_rs/client.py)"},{"fix":"Verify the principal name is exactly correct (including case and realm), ensure the keytab file exists and is readable, and confirm the KDC is reachable from the client. Check `/etc/krb5.conf` for correct realm and KDC server details. Use `klist -kt ` to inspect keytab contents.","cause":"This usually indicates an issue with the Kerberos configuration, such as an incorrect principal name, an invalid keytab path, an unreachable KDC, or problems with the `/etc/krb5.conf` file.","error":"kadmin_rs.errors.KadminError: Principal does not exist (or Cannot contact KDC for realm EXAMPLE.COM)"},{"fix":"Double-check the `keytab_path` variable to ensure it points to an existing keytab file. Verify that the Python process has read permissions for the file (e.g., using `ls -l ` and `whoami`).","cause":"The specified `keytab_path` provided to `Client.with_keytab()` does not exist or is not accessible/readable by the user running the Python script.","error":"kadmin_rs.errors.KadminError: Failed to initialize KDC client: No such file or directory (os error 2)"}]}